Passwords, pin codes, and security

I recently went to visit a friend in a secure building. He didn’t answer his phone when I called from the front door to let me in, but the building had a keypad entrance system.  After a few repeated attempts, I was able to find the correct key code and let myself into the building. When I got to his front door, he was a bit upset that I was able to “hack” into his building. I said it’s pretty easy to figure out PIN codes and passwords because people pick easy to remember numbers, words and patterns. Most of the time you just try the most obvious options first, and you can guess the security code.

In research done by DataGenetics.com in 2012, of the 3.4 million accounts they looked at, 11% of people had the PIN code 1234. Over 6% had 1111 and almost 2% had 0000. Given that knowledge, trying only 3 PIN codes gives me about a 20% chance of guessing someone’s personal PIN code.

Passwords for computers, emails, and online accounts are not much different.  Every year hackers post online usernames and passwords they have harvested. SplashData, a password management company, compiles a list of the most common passwords of the year. In 2013 the top three passwords were 123456, password and 12345678. Other common passwords included phrases like amazon, adobe, password1 and one of my favorites: trustno1.

Since most sites require usernames and passwords for access, and our brains are not designed to hold 50 different complex unreadable passwords, many of us opted to make them easy to remember.  Unfortunately, an easy password to remember is an easy password to hack. Below are a couple of things to consider when you create pin codes and passwords to help make them more secure.

PIN codes

  1. Select PIN codes that are random and have no association to you. For example a PIN code of 3976 is much better than a birth year of say 1960. If I know the year you were born, I would make that a PIN code to try.
  2. Select a PIN code that is not an easy visual pattern on a keypad. DataGenetics found 2580 was the 22nd most popular PIN code because it is the numbers down the center of the keypad on your phone.  The code 1397 is an easy guess as well because it is the corners for the phone keypad going clockwise.
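
The two rules above can be turned into a check that a keypad or banking system runs when someone chooses a PIN. This is an added example, not part of the original article; the keypad layout is the standard phone layout, and the 1900 to 2099 "year" range is an assumption.

```python
# Phone keypad layout, digit -> (row, column); "0" sits under "8".
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}
CORNERS = {"1", "3", "7", "9"}

# PINs the article itself calls out as common or easy guesses.
NAMED_IN_ARTICLE = {"1234", "1111", "0000", "2580", "1397", "2468"}


def pin_weaknesses(pin, birth_year=None):
    """Return the reasons a 4-digit PIN is guessable; an empty list means none were found."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected a 4-digit PIN")
    reasons = []
    if pin in NAMED_IN_ARTICLE:
        reasons.append("named in the article")

    # Repeats and counting patterns: the gap between neighbouring digits never changes.
    gaps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if gaps == {0}:
        reasons.append("one digit repeated")
    elif len(gaps) == 1:
        reasons.append("counting pattern")

    # Visual patterns: every key in one row or column, or the four corner keys.
    rows = {KEYPAD[d][0] for d in pin}
    cols = {KEYPAD[d][1] for d in pin}
    if len(set(pin)) > 1 and (len(rows) == 1 or len(cols) == 1):
        reasons.append("straight line on the keypad")
    if set(pin) == CORNERS:
        reasons.append("four corners of the keypad")

    # Personal dates: the stated birth year, or anything that reads as a year.
    if birth_year is not None and pin == f"{birth_year:04d}":
        reasons.append("matches birth year")
    elif 1900 <= int(pin) <= 2099:  # assumed range for "looks like a year"
        reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs, including the ones discussed in the article.
    for candidate in ["3976", "1960", "1234", "2580", "1397", "0852"]:
        print(candidate, pin_weaknesses(candidate, birth_year=1960) or "no pattern found")
```

The check goes beyond the named PINs: 0852 is not in the article, but it is the same center column as 2580 read upward, so it is flagged too.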

Passwords

  1. Avoid using any part of your login or the site name in your password. If your login to amazon.com is joe.example@fakeemail.com don’t make your password joe123 or Amazon1.
  2. Have a different password for every site. I know this can be a big pain, but if a hacker steals your password at one site, they won’t be able to use it at a different site. Imagine if your password was compromised at some site you used three years ago once, and you only use one password. How many sites do you have to update? How much of your data would be at risk (banking, shopping, investment, email)? With a unique password at each site you can reduce your risk.
  3. Try to use a random password. A password like Fj%9cX44 is much better than F00tballs. While F00tballs has the normal 8 character limit with numbers and upper/lower case letters, hackers are getting smarter and computers are getting faster so simple character substitutions are still risky.
  4. Use an uncommon phrase. For a while, people suggested using a simple phrase such as “ILikeSchool.” However, as hacking has improved, many security experts now recommend that you use nonsensical sentences as passwords. A phrase such as “eat_baseball_Yards” or “doughnuts around circles” is more difficult to breach.
  5. Try using unique logins for various accounts. If possible, I like to have a login that is unique at each site. Also, if it requires an email address, I like to have a few email accounts I can use for different sites. You can easily sign up for multiple Gmail, Hotmail or Yahoo email accounts.
  6. Use a password management program. If it is really hard to remember all those passwords, there are several programs out there that will securely store your passwords. These programs will store your username and passwords and log you into the website automatically. A quick search for Password Manager in Google or Bing will get you on your way.
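
Items 1 and 3 of this list are rules a sign-up form can enforce. The sketch below is an added example, not from the original article; the look-alike character mapping and the caller-supplied `words` list are assumptions of the example.

```python
import re

# Passwords the article lists as among the most common.
COMMON = {"123456", "password", "12345678", "amazon", "adobe", "password1", "trustno1"}

# Look-alike characters mapped back to letters (0->o, 1->l, 3->e, 4->a, 5->s,
# 7->t, @->a, $->s). The mapping is an assumption of this example; the article
# only says such substitutions are still risky.
UNSWAP = str.maketrans("013457@$", "oleastas")


def flatten(text):
    """Lower-case the text and undo look-alike substitutions."""
    return text.lower().translate(UNSWAP)


def password_problems(password, login, site, words=()):
    """Return reasons to reject the password; an empty list means none were found."""
    problems = []
    flat = flatten(password)
    if password.lower() in COMMON:
        problems.append("on the common-password list")

    # Item 1: no part of the login (text before '@') and no part of the site name.
    local_part = login.split("@")[0]
    site_name = site.lower().removeprefix("www.").split(".")[0]
    for label, text in [("login", local_part), ("site name", site_name)]:
        for piece in re.split(r"[^a-z0-9]+", text.lower()):
            if len(piece) >= 3 and flatten(piece) in flat:
                problems.append(f"contains part of the {label}: {piece}")

    # Item 3: a known word is still a known word after simple substitutions.
    for word in words:
        if len(word) >= 4 and flatten(word) in flat:
            problems.append(f"built on the word: {word}")
    return problems


if __name__ == "__main__":
    # Login, site and passwords are the article's own examples.
    login, site = "joe.example@fakeemail.com", "amazon.com"
    for candidate in ["joe123", "Amazon1", "F00tballs", "Fj%9cX44", "trustno1"]:
        found = password_problems(candidate, login, site, words=["football"])
        print(candidate, found or "no problem found")
```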

As I said above, I don’t think we were meant to remember so many sites, logins and passwords stored in our brains. Writing it down on a piece of paper is just asking for trouble. And storing them in an Excel spreadsheet isn’t any better. There is hope on the horizon. As we work with biometric systems for voice and visual recognition we soon might be able to have our image and voice as our PIN code. We might be able to use a fingerprint and say our name to get in our email. No longer will we need to store all these random phrases, we will only need to remember our name. Oh, and the code to my friend’s building was 2468.

Getting debt under control

I recently had the good fortune of being featured in this article which appeared on the front page of the Seattle Times Business section, and I want to share it with you.

A.J. and Amy are a young couple burdened by debt who did not have the resources to pay for a financial planner. The Seattle Times reached out to me through my affiliation with the Puget Sound Financial Planning Association and asked if I would build them a plan. After several meetings we were able to identify and build a plan around their short and long term goals. I am thrilled to report that they feel like they are finally in control of their debt and retirement savings. Most importantly, they have developed peace of mind around their finances.

Please keep in mind that no two investors are alike; the article referenced above is a specific recommendation based on A.J. and Amy’s personal finances. If you would like to give the gift of financial peace of mind, I am always more than happy to help your friends and family develop their own personal plan.

Protecting yourself against electronic wire fraud

It seems like every year thieves become more creative in finding new ways to steal. A disturbing new trend is directly targeting financial advisors and their clients. Financial institutions are seeing a noticeable increase in attempts at fraudulent wire transfers by email “spoofing,” where an email request appears to be sent from the client, but is actually from a fake-but-similar email account (or sometimes it’s the client’s actual account).

Think, for a minute, about the emails you have sent to your advisor. If your email account was hacked, the hacker would have access to all of those emails in your sent folder. They could easily send an email (from “you”!) to your advisor requesting a fund transfer to a third-party bank account, along with convincingly forged letters of authorization. If you’ve ever emailed a scanned copy of something you’ve signed, they have access to your signature too. Often, by the time someone realizes the request is fraudulent, it is too late. The money is already gone, the transfer cannot be unwound, and the wire fraud theft is complete.

It is our policy to never accept instructions like this via e-mail, but in response to this increased risk, we have trained our employees to identify warning signs of electronic wire fraud attempts. We have also reviewed and improved our procedures to verify a wire transfer request is legitimate before acting on it, particularly in scenarios where the transfer is going to a third party.

However, it’s important to take steps to make sure your information is secure and avoid the possibility of this type of fraud altogether. We use www.box.com to securely share files with our clients and keep that sensitive information out of your inbox.

Just to be safe, here are some tips on how you can help protect your email accounts from being hacked:

  1. Make sure to use secure complex passwords. We recommend choosing a password with a minimum of 8 characters, including upper & lower case letters, numbers and symbols.
  2. Don’t use the same passwords on multiple accounts. If you get hacked in one, they have access to everything.
  3. Use double authentication if possible. This requires you to enter an extra code when logging in from an unrecognized IP address. Click here to learn more about Google’s 2-step verification.
  4. If you get email on your smart phone, make sure the phone is password protected.
  5. Beware of storing documents in your email that contain your signature, social security number, or other non-public personal identifying information. If your account gets hacked, the thief will have everything they need to steal your identity.
  6. Don’t ignore signs that your email account has been hacked, like finding emails you didn’t send in your ‘sent’ folder, or hearing from your friends that they’ve received spam from your email address.
  7. If you do get hacked, be sure to change your passwords immediately! Also call your financial institutions to make sure your accounts have not been compromised.

Have you written your letter of instruction?

Maybe you’ve heard of this before. A letter of instruction is a document you write to your executor and family that contains your personalized wishes and instructions for settling your estate. Although it does not carry any legal authority, a letter of instruction can be used to provide tremendous added detail about your financial affairs that doesn’t fit within a will or trust.

One of the most important purposes of a letter of instruction is to lead the person in charge of settling your estate through the process step by step. A good letter of instruction should contain the following:

  • Detailed list of your assets and belongings.
  • Copy of your monthly budget.
  • Login ID and password list.
  • Contact information for financial professionals and beneficiaries.
  • Location of important documents such as the will, trust, deeds, birth certificate, tax returns, bank statements, bills, life insurance, etc.
  • Creditor statements for any mortgages, credit cards or other loans.
  • Location of keys for house, auto or safe deposit box.

A key function of the letter of instruction is to specifically indicate which household belongings go to which heirs. Your will and/or trust will generally only address big ticket items. Through the letter you can decide who receives the family albums, the silverware, stamp collection, artworks or family knickknacks. Providing clear guidance can keep your family from devolving into arguments and resentment when emotions and grief run high.

Burial Arrangements

You can also use a letter of instruction to tell your family how and where you would like to be buried or cremated. You can be as elaborate as you desire. If you want, you can choose funeral readings, pick your flowers, charitable donations, etc. You can even prewrite your own obituary here, so be creative. Whatever your desires, putting your wishes in writing will help reduce guesswork and potential arguments among those who will handle these arrangements when the time comes.

Other Advantages

If desired, you may use the letter of instruction to voice personal requests and your expectations for how your heirs use their inherited assets. After all, these were your possessions! Some people also include their personal values, in a section known as the “ethical will,” which allows you to pass your core values and beliefs down to your family and beneficiaries.

Another benefit of this letter is that you can augment your living will with regard to end of life care, providing more detail about the circumstances under which you want to be kept alive or taken off of life support. This can be very helpful in reducing stress or uncertainty for your family if the health care directive or living will lacks this detail.

Conclusion

Remember, a letter of instruction does not replace a will, durable power of attorney or living will. If you don’t already have these documents in place, you should have them drawn up by a qualified estate planning attorney. A letter of instruction can be a fantastic tool to articulate your final wishes and decisions for your executor and heirs. Be sure to update it periodically and file it along with your other estate planning documents. At its heart, the letter of instruction is a last gift of your voice that you leave to your family, so make it count.

Go fishing, not phishing!

If you use email, you are under constant attack. Every ploy imaginable is being used against you in attempts to get you to open an email that has the goal of connecting you with a website to enter your account number and password information. This “phish” email will look very official, be urgent in nature, and connect you to an official-looking website. Don’t take the bait!

One scheme sends you an email stating that your credit card or bank account at Bank XYZ is going to be closed immediately unless you reset your password by clicking on the attached link. The link will take you to a very official looking Bank XYZ website where you are instructed to type in your current account number and password. They now have your login information and can access your real account directly. Keep this in mind: Banks and other financial organizations will not ask you to provide account and password information via an email. Common scams include more than just trying to get your banking information; be on the lookout for wire transfer requests from friends stuck overseas, lottery winnings, investment schemes, fake checks and pretty much anything related to money.

For a long time we thought it was safe to click links and attachments from people we know, but hackers have gotten much more sophisticated and now use your friends’ email names and addresses that have been harvested from social media or malware. By using the email addresses and names of people you know, they increase the chance that you will open those emails. The links and attachments can often lead to software that will attempt to infect your computer with malware or take you to a bad site. So always use extra caution when you get an email asking you to provide any type of personal information.

How do you protect yourself? First, don’t give out personal information that is requested in an email. Also make sure that the address in the browser matches where you think you should be. If you expect to be at www.paypal.com and the browser says you are at www.stealingyourmoney.com you should leave that site immediately. Of course, it’s not always quite so obvious. But if you look closely, you’ll often be able to detect a discrepancy in the web address.
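
The "look closely" step can be made mechanical: what matters is the host name the browser will actually contact, not whether the expected name appears somewhere in the address. This is an added example, not from the original article; the sample addresses are constructed around the article's two site names.

```python
from urllib.parse import urlsplit


def check_address(url, expected_domain):
    """Return (ok, note): does the URL's host belong to expected_domain?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lower-cases the host
    expected = expected_domain.lower()
    if not host:
        return False, "no host found in the address"
    # Anything before '@' is login text, not the site being visited.
    if parts.username is not None:
        return False, f"text before '@' is not the site; the real host is {host}"
    # The host must be the expected domain itself or end with ".<expected domain>".
    if host == expected or host.endswith("." + expected):
        return True, f"{host} belongs to {expected}"
    if expected in host:
        return False, f"{expected} appears inside {host}, but the host does not end with it"
    return False, f"{host} is not {expected}"


if __name__ == "__main__":
    # Constructed sample addresses for illustration.
    samples = [
        "https://www.paypal.com/signin",
        "https://www.stealingyourmoney.com/signin",
        "https://www.paypal.com.stealingyourmoney.com/signin",
        "https://www.paypal.com@www.stealingyourmoney.com/signin",
    ]
    for address in samples:
        ok, note = check_address(address, "paypal.com")
        print("OK  " if ok else "STOP", address, "->", note)
```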

You should always make sure your computer and devices are patched and up-to-date with the latest security updates. Most major software companies update their software on a regular schedule to help keep security issues down, so don’t avoid those update notifications. Use a firewall and anti-virus software, which will do a good job of keeping a lot of malicious items at bay. Most Internet browsers have pop-up blockers that can help reduce your risk as well. Finally, if you are unsure if the email is real, call the person who sent it to you and ask them about it.

In the end, you are the last line of defense. Always be skeptical of things that don’t seem quite right. While in the real world it may be admirable to trust the good intentions of others, things are not always what they seem in the online world, and it is best to have your best defenses forward.

Spring cleaning: 10 ways to freshen up your financial situation

After cleaning the garage, packing away your winter clothes and cleaning the windows, turn your spring cleaning efforts to your finances. Here are ten ideas to freshen up your financial situation:

1.      Reduce paper: Most banks, brokerages, credit cards, and utilities offer online delivery and storage of statements and bills. Sit down with your paper statements and see how many you can move to online. You will save the time spent opening mail, remove clutter and help the environment.

2.      Pay your bills online: Sign up for an online bill payment service if you don’t already. Set up automatic payments for recurring bills.

3.      Purge: Get a good shredder and use it aggressively. You really don’t need the water bill from two years ago. Purge! This can also help reduce your risk of identity theft.

4.      Eliminate redundancies: Eliminating clutter is not only about getting rid of paper; identify what accounts are redundant and can be combined and/or closed.

5.      Organize: Get a label maker and create a small, efficient filing system.

6.      Reduce costs: Review bills you get from cable and phone companies, because when contracts expire they may revert to higher charges. Give them a call and you’ll be surprised how easy it is to have your rates reduced.

7.      Check your coverage: Review your insurance coverage to make sure that it is appropriate for you.

8.      Compare interest rates: Make sure your banks and credit cards are competitive for their fees and interest rates.

9.      Track your goals: Create easy-to-use systems for tracking your big picture goals, including a simple budget, college savings, and retirement.

10.  Think about getting help: Identify what areas you may need professional help, and create a plan to interview candidates.